Tags: asp.net-core, identityserver4

IdentityServer4 Signing Certificate Reference tokens


Getting errors when an API is trying to validate a reference token. Our identity server will serve reference tokens only. Why would a signing certificate be required? The error is keyset related.

System.InvalidOperationException: Policy error while contacting the discovery endpoint https://****.net/.well-known/openid-configuration: Keyset is missing
   at IdentityModel.AspNetCore.OAuth2Introspection.PostConfigureOAuth2IntrospectionOptions.GetIntrospectionEndpointFromDiscoveryDocument(OAuth2IntrospectionOptions Options)
   at IdentityModel.AspNetCore.OAuth2Introspection.PostConfigureOAuth2IntrospectionOptions.InitializeIntrospectionClient(OAuth2IntrospectionOptions Options)
   at IdentityModel.AspNetCore.OAuth2Introspection.OAuth2IntrospectionHandler.LoadClaimsForToken(String token)
   at IdentityModel.AspNetCore.OAuth2Introspection.OAuth2IntrospectionHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
   at IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.Invoke(HttpContext context)
   at Ips.Middleware.SerilogMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

Solution

  • Found the solution. You do not need to make changes to IdentityServer. The changes are to the API.

     // API (resource server) side, in Startup.ConfigureServices
     services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(
           IdentityServerAuthenticationDefaults.AuthenticationScheme,
           // JWT bearer options: null because this API accepts reference tokens only
           null,
           // OAuth2 introspection options, used for reference tokens
           options =>
           {
             options.Authority = "https://yourIdentityServer.com";
             // This is the key: the introspection handler only needs the introspection
             // endpoint from the discovery document, so do not require jwks_uri / keys
             options.DiscoveryPolicy.RequireKeySet = false;
             // Credentials the API presents to the introspection endpoint
             options.ClientId = "xxxx";
             options.ClientSecret = "xxxx";
           });
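
Added example, not part of the original answer: the same fix written against the underlying IdentityModel.AspNetCore.OAuth2Introspection handler (`AddOAuth2Introspection`) instead of the IdentityServer4.AccessTokenValidation wrapper, together with the IdentityServer4 side that actually produces reference tokens. The resource name `myapi`, the secrets, the client id `m2m-client`, the authority URL and the IdentityServer4 v4 API shape (`ApiScope` plus `ApiResource`) are assumptions for illustration, not values from the page.

```csharp
using System;
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// ---- IdentityServer side (assumed IdentityServer4 v4 in-memory config) ----
// Nothing here is about signing keys: reference tokens are opaque handles that
// the API resolves by calling /connect/introspect.
public static class IdentityServerConfig
{
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("myapi", "My API")
    };

    public static IEnumerable<ApiResource> ApiResources => new[]
    {
        // The API authenticates to the introspection endpoint with its resource
        // name as ClientId and one of these ApiSecrets as ClientSecret.
        new ApiResource("myapi", "My API")
        {
            ApiSecrets = { new Secret("api-secret-placeholder".Sha256()) },
            Scopes = { "myapi" }
        }
    };

    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "m2m-client",
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = { new Secret("client-secret-placeholder".Sha256()) },
            AllowedScopes = { "myapi" },
            // Issue an opaque reference token instead of a self-contained JWT
            AccessTokenType = AccessTokenType.Reference
        }
    };
}

// ---- API (resource server) side ----
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Introspection results are cached per token; EnableCaching needs an IDistributedCache
        services.AddDistributedMemoryCache();

        services.AddAuthentication("Bearer")
            .AddOAuth2Introspection("Bearer", options =>
            {
                options.Authority = "https://yourIdentityServer.com";

                // ClientId is the ApiResource name, ClientSecret one of its ApiSecrets
                options.ClientId = "myapi";
                options.ClientSecret = "api-secret-placeholder";

                // The API never validates a signature locally, so it does not need
                // jwks_uri in the discovery document. This is the setting that fixes
                // "Keyset is missing". Keep RequireHttps (default true) as it is.
                options.DiscoveryPolicy.RequireKeySet = false;

                // Bound how long a revoked reference token is still accepted
                options.EnableCaching = true;
                options.CacheDuration = TimeSpan.FromMinutes(5);
            });

        services.AddAuthorization();
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

Two practical points. First, `RequireKeySet = false` only relaxes a check on the discovery document; the token itself is still validated server-side by the introspection endpoint, which is why it is acceptable here but should not be carried over to a JWT bearer configuration, where the key set is what signature validation depends on. Second, the `ClientId`/`ClientSecret` pair on the API is the API resource's credential, not an OAuth client's, so revoking or rotating it is done on the `ApiResource`, and `CacheDuration` is the upper bound on how long a revoked token keeps working at that API.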